[nycphp-talk] Cross domain Logins
Mark Armendariz
nyphp at enobrev.com
Thu Nov 20 19:54:20 EST 2003
WOW, 3 incredible suggestions!!!
Brian, Mark and Hans, Thank you all so much for your methods. I'm going to
get my morning thing moving (yes it is 744 pm) and read over these again
over some coffee to figure out where to go with this.
I've gotten the reply from my client and it turns out these will be on the
same server and if I wish, we can use the same database for the two sites.
This is great news, and I would have probably come up with something fairly
subpar for this, but I'm really going to look into what you guys have given
me for a far superior solution.
I definitely figured grabbing the user agent and remote address info would
prove helpful. Even if it changes due to aol's proxies, etc, they will just
have to enter the password, and continue - but the majority should be
verified appropriately.
The callahead (kinda like a reservation - good for function / variable names
:) is what I has in mind but I wasn't quite sure how to implement it.
And the image thing.. Magnificent! Now doesn't this cause security errors
on IE without some kind of specialized privacy policy that explains the
off-domain image? At least for ie? Getting the image on both sites is not
an issue by any means - Just wondering if it's absolutely a tried and true
solution. Definitely an incredible idea.
OK, dunkin donuts, here I come.
Thank you all for your input!!!
Mark
-----Original Message-----
From: talk-bounces at lists.nyphp.org [mailto:talk-bounces at lists.nyphp.org] On
Behalf Of Brian Pang
Sent: Thursday, November 20, 2003 9:47 AM
To: NYPHP Talk
Subject: Re: [nycphp-talk] Cross domain Logins
The way to do this is to use what is called a "pixel beacon" or "web
beacon."
http://www.webopedia.com/TERM/W/Web_beacon.html
(Of course, PHP won't let you make a GIF, but it's a reasonable
description).
Use PHP to create an image which is called from the "other domain."
When calling that image, pass along login information in the query string
(in some decryptable format).
As part of the image creation, you can set a cookie or session.
Basically, what you'll have is...
Site1.com makes a call to an image on Site2.com as
http://www.site2.com/beacon.php?action=login&username=foo
(ok, not encrypted or anything)
beacon.php generates an image and sets a cookie:
(Sample code, YMMV)
SetCookie("username",$_GET['username']);
Header ("Content-type: image/jpeg");
$im = ImageCreate (1, 1)
or die ("Cannot Initialize new GD image stream"); $background_color =
ImageColorAllocate ($im, 255, 255, 255); $text_color = ImageColorAllocate
($im, 233, 14, 91); ImageString ($im, 1, 5, 5, $_GET['username'],
$text_color); ImageJPEG ($im); ImageDestroy($im);
There, by visiting one domain, you've now set a cookie on the other domain.
The only catch is that it requires a little bit of cooperation between the
webmasters (if they won't put your image/beacon on their page, all is lost).
This technique is regularly used in banner ads and Yahoo! even includes it
in their privacy statements.
http://privacy.yahoo.com/privacy/us/pixels/details.html
I haven't done it yet, but I've been tempted to put ALL of my session and
cookie functions into images, even when not going cross-domain.
>
> Anyone here ever create a cross-domain login system? I'm still
waiting for
> details to see if the domains will have access to the same db or same
> server. I figure one way to do it would be to somehow transfer
session info
> form one domain to the other, but it seems like there's plenty of
> security issues in doing so. I thought maybe passing an md5 encrypted
> string with the username, password form one site to the next might
> work as well,
but I'm
> still not too sure of the security issues, especially considering the
issues
> pointed out a couple weeks back regarding auto-logins.
>
> Anyone have experience with this?
>
> Thanks!
>
> Mark
>
>
_______________________________________________
talk mailing list
talk at lists.nyphp.org
http://lists.nyphp.org/mailman/listinfo/talk
More information about the talk
mailing list